1 |
Speaking as a professional paranoid (and a long-time lurker on this |
2 |
list), I'd prefer to see PGP/GnuPG signature verification as a default |
3 |
setting. Trusting the MD5 hash, as the sole guarantor of integrity, is |
4 |
insane ^h^h^h^h^h^himprudent, and invites mischief. |
5 |
|
6 |
As far as key distribution goes, you can either use: |
7 |
|
8 |
1) the straight-up 'web-of-trust' option using PGP keys. This would be |
9 |
onerous because it would require every key to be manually imported, |
10 |
e.g., from every development group |
11 |
|
12 |
2) the CA model, where X.509 keys are issued to developers but descended |
13 |
from a common (private) root. Verification of a given cert would require |
14 |
showing only that the cert came from the trusted chain and hasn't been |
15 |
revoked: |
16 |
|
17 |
openssl verify [-CApath directory] cert.pem |
18 |
|
19 |
...plus a script for pulling and using the CRLs. |
20 |
|
21 |
Both approaches have their pros and cons. |
22 |
|
23 |
Andrew |
24 |
|
25 |
J Holder wrote: |
26 |
> Ed Grimm said: |
27 |
> |
28 |
>>On Tue, 17 Feb 2004, Brian Klauss wrote: |
29 |
>> |
30 |
>> |
31 |
>>>What I don't understand then is the problem with security of ebuilds. |
32 |
>>>If we can validate that the MD5 hash is consistent with the published |
33 |
>>>hash, then the package would be considered secure and case is |
34 |
>>>effectively closed? |
35 |
>>>Right? |
36 |
>> |
37 |
>>And how do you know the published hash? Are there not entities in the |
38 |
>>datastream that could alter both the file you download and the MD5 that |
39 |
>>you download? Especially if, as I think I've seen, emerge gets the MD5 |
40 |
>>hash from the same source as it gets the source packages. However, even |
41 |
>>in the case of multiple mirrors, either the primary FTP server could've |
42 |
>>been cracked, or the datastream could be hijacked at the local ISP, |
43 |
>>inserting an altered datasream for each file. |
44 |
>> |
45 |
>>Using a PGP/GPG signature would reduce the questions of trust down to |
46 |
>>'do we trust the gentoo devs', 'do we trust PGP', and 'do we trust the |
47 |
>>PGP signature'. Right now, we're also having to trust the primary FTP |
48 |
>>server, our local mirror, and all the net in between them and us, |
49 |
>>including our ISP, as they're all placed such that they could substitute |
50 |
>>alternate versions of both files, and we'd be none the wiser. Some |
51 |
>>people believe that is perfectly acceptable. Others do not. |
52 |
>> |
53 |
>>One could use an X509 sig instead of a PGP sig, although my impression |
54 |
>>is that fewer people are familiar with those. On the other hand, they |
55 |
>>do have a more refined chain of trust (at least, if you go with an |
56 |
>>existing CA rather than your own.) |
57 |
> |
58 |
> |
59 |
> I tend to agree with this point. So far extreme vigilance on the part of |
60 |
> the gentoo admins protected us from a potential problem when there was |
61 |
> previously a breakin. But in the long run, PGP or some similar |
62 |
> alternative would be a whole lot safer. |
63 |
> |
64 |
> The really big issue is getting that kind of infrastructure in place. Do |
65 |
> we have each gentoo dev sign the files he/she is responsible for? I think |
66 |
> we can dismiss the possibility of using one key to sign everything. Maybe |
67 |
> a key for each software group would be feasible? |
68 |
> |
69 |
> |
70 |
> -- |
71 |
> gentoo-security@g.o mailing list |
72 |
> |
73 |
|
74 |
|
75 |
-- |
76 |
Andrew Jaquith |
77 |
Program Director |
78 |
@stake, Inc. |
79 |
196 Broadway |
80 |
Cambridge, MA 02139 |
81 |
USA |
82 |
|
83 |
Direct: 617.768.2711 |
84 |
Mobile: 617.501.3278 |
85 |
Fax: 617.621.1478 |
86 |
Email: ajaquith@×××××××.com |
87 |
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x898CF546 |
88 |
|
89 |
|
90 |
-- |
91 |
gentoo-security@g.o mailing list |